As Seen in CFO Studio Magazine Q4 2016 Issue
THE HACKER THREAT IS A TOP CONCERN, BUT CFOS CAN PUT MEASURES IN PLACE TO PROTECT DATA
Keeping an organization’s computer network safe from hackers used to be in the hands of the IT department, but as cyberterrorism becomes a bigger and bigger threat, more CFOs are shouldering a large part of the responsibility. According to Lynn Calhoun, CFO of BDO, USA, LLP, which provides assurance, tax, financial advisory, and consulting services: “This shift is due, quite simply, to the costs and risks involved in a cybersecurity breach.” While IT people certainly play a critical role in preventing and responding to such an attack, “the CFO—as well as others in the organization—is getting pulled into the discussion to balance costs, risk, and overall investment.”
Mr. Calhoun spoke on “Digital and Info Risk: Threats, Cost, and Opportunities for World-Class Companies” at a World-Class Companies CFO Dinner, part of CFO Studio’s Executive Dinner Series, held recently at Morton’s The Steakhouse in Chicago. CFOs from select Chicago-area companies attended the invitation-only dinner.
Mr. Calhoun began the evening’s discussion with this eye-opening observation: “Nobody really knows where the next threat is coming from.” He continued, “The sheer number of people out there spending volumes and volumes of time trying to figure out ways to hack into your system is far greater than the time you’ll ever have available to get into position to respond to those threats or prevent them from happening.”
He noted some of the typical, more common threats to cybersecurity, such as the ability to gain access to passwords, bank accounts, and credit card and social security numbers, but pointed out that today’s cyberterrorists are coming up with some unique and creative ways to solicit funds directly from an organization. “They have become quite adept at creating false emails that appear, on the surface, to be from someone of great authority in your company.” In most cases, the email is purportedly from the CEO, authorizing the CFO to make a payment to a particular entity with instructions to “get it done, and [you’ll] be filled in on all the details later.” Close inspection reveals such emails to be fakes, he said, but “they do look quite authentic to the untrained or very busy eye.”
An Ounce of Prevention
In an effort to stay a step ahead of the hackers, Mr. Calhoun said every organization must attempt to determine the source of real and perceived risk. “On a broad scale, you’ve got risk everywhere. But if you can narrow it down a bit, you’re more able to focus on what kind of breach in which sectors of the company will be most detrimental to your business.” This could be a direct attack where access to funds and resources has been acquired, he explained, or an indirect hit to reputation and brand.
While an organization can potentially guard against resource or monetary risks, it’s very difficult to do the same in the area of reputational risk. As an example, Mr. Calhoun cited the massive data breach at a large, national retailer about a year and a half ago, in which upwards of 110 million people had sensitive, personal information stolen or compromised during the holiday shopping rush. “Immediately, the public thinks the retailer isn’t protecting its data. That’s not necessarily grounded in the facts, and there’s no knowledge of what steps were taken before and after the attack, but all of a sudden their reputation is at risk of becoming tarnished.” All any company can do, he said, is “address the risks as best as possible to ensure that few, if any, breaches occur, and that damage to reputation is limited.” He added, “It’s a real challenge to balance the risks and the costs to prevent such occurrences.”
Jim Willard, an executive for California-based Tidemark, a private enterprise performance management company, and a CFO Studio Business Development Partner, found it thought-provoking that attendees seemed most concerned with the damage an attack could cause to their brand. “It almost outweighed the concern of the actual breach itself, and the impact on the data and the ensuing monetary consequences.”
Mr. Willard noted that “attendees seemed to feel they could effectively mitigate the risk of the tangible and monetary damages through their practices, procedures, and infrastructure improvements, but the open-ended risk of damage to brand is still out there.”
Mr. Calhoun questioned whether the public cares about cyberterrorism threats and attacks anymore, as there are so many instances of these in the news. He noted that even the media seems to have stopped focusing on the topic. “It’s become almost a way of life, and people, themselves, have had their individual systems hacked, so it’s possible we’ve become somewhat numb to it.” He said perhaps the risk of reputational harm is lower than before, just by “the pure numbing of the public.”
Up in the Air
The discussion really heated up when Mr. Calhoun questioned whether or not storing data in the cloud offers a greater or a reduced risk of cybersecurity attacks. “We were all unclear which was safer,” he recalled in a subsequent interview. Some attendees felt that the cloud environment might be the more secure option, because the third-party organizations providing cloud storage have a great deal invested in preventing attacks, as their future and livelihood depend on it. On the other hand, “Some of us, myself included, thought there was increased risk when your data resided somewhere other than where you can directly control it,” said Mr. Calhoun.
Scott Settersten, CFO of Ulta Beauty, a retailer of cosmetics and salon services, attended the dinner and said in an interview, “My perception always was that I’m more at risk if I keep my data in the cloud than if I keep it under my own lock and key, but that’s probably not the case because the people that are maintaining this data have better security than I’ll ever be able to afford, simply because that’s their core business.” (Settersten, the subject of an article that recently appeared in CFO Studio magazine, will lead a discussion at a CFO Studio Executive Dinner in Chicago later this year.)
Shiwali Varshney, CFO at Vosges Haut-Chocolat, a super-premium chocolate manufacturer and retailer, said that regardless of her uneasiness with cloud computing, “we have to go there eventually, because that’s where business processes are headed. Plus, it’s more cost effective to do so.” While she is confident that the companies providing the storage service are encrypting data and making every effort to ensure that data is secure, “I know there is inherent risk when data is stored in the cloud. But I know that if we want to be productive, we need to utilize the cloud-based solutions to be more collaborative and efficient.”
Ms. Varshney went on: “How we manage that risk, and how much money we spend managing it, is becoming crucial to understand. This is where my concern lies.” She also noted that “there has been a big change toward how we handle operational risk management and training. It’s shifting more toward cybersecurity training” with disaster training programs focusing on responding to data leaks. She called it a “sign of the times,” and added, “I want to invest in training people to move into this next millennium.”
As the conversation continued, some in attendance revealed that they had purchased cybersecurity insurance. This is a relatively new marketplace, Mr. Calhoun noted, and “it’s really evolving for those selling it and those buying it, as both try to figure out what exactly they’re insuring and how much to charge and pay for it.”
He added that the idea of insurance coverage against cybersecurity threats is a pretty good one, given the uncertainty of it all, and because it is possible to identify how some costs relate directly to certain risks. “Whether it’s the cost of notifying individuals who may have been impacted, or the expense of taking additional steps within your networks to correct it and prevent it from happening again, there are indeed some areas where you’re better off having insurance coverage to protect yourself than not having it at all.”
As for the extent of that coverage, Mr. Calhoun advised companies to “lean toward buying more than you need, just because of the uncertainty of what’s really necessary.” Better to have more than you’ll ever need, he said, than to be caught with less.
The increase in cybersecurity threats and attacks is providing an opportunity for organizations to take a good, long look at increasing their level of security, said Mr. Calhoun, “which is definitely a good thing.” And it happens to be a good time, he said, to “take a step back and examine, for example, access into your systems: Do you use password security and what do you do with that? What information do you actually store? Would it be better to not store some data on a permanent basis? Do you use firewalls or VPNs (virtual private networks)?”
These are all ways, he pointed out, to be more alert, attentive, and aware of security issues. “You may have looked at some of these items, like firewalls, for instance, as an inconvenience to personnel, or as an additional cost layer that you just don’t need. But when you start viewing them from a cybersecurity standpoint, those digital barriers become very good things to implement within your organization for all the right reasons.”
Mr. Calhoun said he hoped participants walked away with an appropriate and balanced level of fear, one that may have been heightened by what was discussed. “In addition, maybe a little clarity was gained around potential solutions that exist to address that fear, whether that be in the area of insurance coverage or a new way to look at cloud computing.”
Peg Koenigs, Senior Vice President and CFO at the Federal Reserve Bank of Chicago, said in an interview after the dinner that she believes a majority of companies across the globe are concerned with the ever-increasing threat of cyberterrorism. She added that it was interesting to see that “CFOs are taking an active role in this, and that it is clearly a new responsibility for CFOs across the board.”
Ms. Koenigs said she assumes that, universally, every organization is thinking about, experiencing, and making efforts to shore up cybersecurity, and some of this is happening in the office of the CFO. “It’s expected of all of us CFOs to protect the data. Certainly, it’s a risk we think about and it sure is part of my responsibilities.”
Mr. Calhoun closed the discussion by acknowledging that cyberterrorism is “one of those areas that tends to get pushed to the back burner as other issues take precedence and you get busy in your routine day-to-day.” He admitted it’s easy to lose sight of it a little bit, but cautioned that “it does need to be elevated within your organization to the appropriate level to get people’s attention.”